feat: add login failed ban ip list

Author: 0xJacky

api/settings/auth.go

@@ -0,0 +1,45 @@
+package settings
+
+import (
+	"github.com/0xJacky/Nginx-UI/api"
+	"github.com/0xJacky/Nginx-UI/query"
+	"github.com/0xJacky/Nginx-UI/settings"
+	"github.com/gin-gonic/gin"
+	"net/http"
+	"time"
+)
+
+func GetBanLoginIP(c *gin.Context) {
+	b := query.BanIP
+
+	// clear expired banned IPs
+	_, _ = b.Where(b.ExpiredAt.Lte(time.Now().Unix())).Delete()
+
+	banIps, err := b.Where(
+		b.ExpiredAt.Gte(time.Now().Unix()),
+		b.Attempts.Gte(settings.AuthSettings.MaxAttempts)).Find()
+	if err != nil {
+		api.ErrHandler(c, err)
+		return
+	}
+	c.JSON(http.StatusOK, banIps)
+}
+
+func RemoveBannedIP(c *gin.Context) {
+	var json struct {
+		IP string `json:"ip"`
+	}
+	if !api.BindAndValid(c, &json) {
+		return
+	}
+
+	b := query.BanIP
+	_, err := b.Where(b.IP.Eq(json.IP)).Delete()
+
+	if err != nil {
+		api.ErrHandler(c, err)
+		return
+	}
+
+	c.JSON(http.StatusNoContent, nil)
+}

api/settings/router.go

@@ -0,0 +1,14 @@
+package settings
+
+import (
+	"github.com/gin-gonic/gin"
+)
+
+func InitRouter(r *gin.RouterGroup) {
+	r.GET("settings/server/name", GetServerName)
+	r.GET("settings", GetSettings)
+	r.POST("settings", SaveSettings)
+
+	r.GET("settings/auth/banned_ips", GetBanLoginIP)
+	r.DELETE("settings/auth/banned_ip", RemoveBannedIP)
+}

api/system/settings.go renamed to api/settings/settings.go

@@ -1,4 +1,4 @@
-package system
+package settings
 
 import (
 	"github.com/0xJacky/Nginx-UI/api"
@@ -20,6 +20,7 @@ func GetSettings(c *gin.Context) {
 		"nginx":     settings.NginxSettings,
 		"openai":    settings.OpenAISettings,
 		"logrotate": settings.LogrotateSettings,
+		"auth":      settings.AuthSettings,
 	})
 }
 
@@ -29,6 +30,7 @@ func SaveSettings(c *gin.Context) {
 		Nginx     settings.Nginx     `json:"nginx"`
 		Openai    settings.OpenAI    `json:"openai"`
 		Logrotate settings.Logrotate `json:"logrotate"`
+		Auth      settings.Auth      `json:"auth"`
 	}
 
 	if !api.BindAndValid(c, &json) {
@@ -44,6 +46,7 @@ func SaveSettings(c *gin.Context) {
 	settings.ProtectedFill(&settings.NginxSettings, &json.Nginx)
 	settings.ProtectedFill(&settings.OpenAISettings, &json.Openai)
 	settings.ProtectedFill(&settings.LogrotateSettings, &json.Logrotate)
+	settings.ProtectedFill(&settings.AuthSettings, &json.Auth)
 
 	err := settings.Save()
 	if err != nil {

api/system/router.go

@@ -1,21 +1,17 @@
 package system
 
 import (
-    "github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin"
 )
 
 func InitPublicRouter(r *gin.RouterGroup) {
-    r.GET("install", InstallLockCheck)
-    r.POST("install", InstallNginxUI)
-    r.GET("translation/:code", GetTranslation)
+	r.GET("install", InstallLockCheck)
+	r.POST("install", InstallNginxUI)
+	r.GET("translation/:code", GetTranslation)
 }
 
 func InitPrivateRouter(r *gin.RouterGroup) {
-    r.GET("settings/server/name", GetServerName)
-    r.GET("settings", GetSettings)
-    r.POST("settings", SaveSettings)
-
-    r.GET("upgrade/release", GetRelease)
-    r.GET("upgrade/current", GetCurrentVersion)
-    r.GET("upgrade/perform", PerformCoreUpgrade)
+	r.GET("upgrade/release", GetRelease)
+	r.GET("upgrade/current", GetCurrentVersion)
+	r.GET("upgrade/perform", PerformCoreUpgrade)
 }

api/user/auth.go

@@ -4,12 +4,17 @@ import (
 	"github.com/0xJacky/Nginx-UI/api"
 	"github.com/0xJacky/Nginx-UI/internal/logger"
 	"github.com/0xJacky/Nginx-UI/internal/user"
+	"github.com/0xJacky/Nginx-UI/query"
+	"github.com/0xJacky/Nginx-UI/settings"
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
 	"net/http"
+	"sync"
 	"time"
 )
 
+var mutex = &sync.Mutex{}
+
 type LoginUser struct {
 	Name     string `json:"name" binding:"required,max=255"`
 	Password string `json:"password" binding:"required,max=255"`
@@ -29,6 +34,25 @@ type LoginResponse struct {
 }
 
 func Login(c *gin.Context) {
+	// make sure that only one request is processed at a time
+	mutex.Lock()
+	defer mutex.Unlock()
+	// check if the ip is banned
+	clientIP := c.ClientIP()
+	b := query.BanIP
+	banIP, _ := b.Where(b.IP.Eq(clientIP),
+		b.ExpiredAt.Gte(time.Now().Unix()),
+		b.Attempts.Gte(settings.AuthSettings.MaxAttempts),
+	).Count()
+
+	if banIP > 0 {
+		c.JSON(http.StatusTooManyRequests, LoginResponse{
+			Message: "Max attempts",
+			Code:    ErrMaxAttempts,
+		})
+		return
+	}
+
 	var json LoginUser
 	ok := api.BindAndValid(c, &json)
 	if !ok {
@@ -37,7 +61,7 @@ func Login(c *gin.Context) {
 
 	u, err := user.Login(json.Name, json.Password)
 	if err != nil {
-		time.Sleep(5 * time.Second)
+		// time.Sleep(5 * time.Second)
 		switch {
 		case errors.Is(err, user.ErrPasswordIncorrect):
 			c.JSON(http.StatusForbidden, LoginResponse{
@@ -52,9 +76,13 @@ func Login(c *gin.Context) {
 		default:
 			api.ErrHandler(c, err)
 		}
+		user.BanIP(clientIP)
 		return
 	}
 
+	// login success, clear banned record
+	_, _ = b.Where(b.IP.Eq(clientIP)).Delete()
+
 	logger.Info("[User Login]", u.Name)
 	token, err := user.GenerateJWT(u.Name)
 	if err != nil {

app/src/api/curd.ts

@@ -13,7 +13,7 @@ export interface Pagination {
   total_pages: number
 }
 
-export interface IGetListResponse<T> {
+export interface GetListResponse<T> {
   data: T[]
   pagination: Pagination
 }
@@ -35,7 +35,7 @@ class Curd<T> {
   }
 
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  _get_list(params: any = null): Promise<IGetListResponse<T>> {
+  _get_list(params: any = null): Promise<GetListResponse<T>> {
     return http.get(this.plural, { params })
   }
 

app/src/api/settings.ts

@@ -1,17 +1,27 @@
 import http from '@/lib/http'
 
+export interface BannedIP {
+  ip: string
+  attempts: number
+  expired_at: string
+}
+
 const settings = {
-  get() {
+  get<T>(): Promise<T> {
     return http.get('/settings')
   },
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  save(data: any) {
+  save<T>(data: T) {
     return http.post('/settings', data)
   },
-
-  get_server_name() {
+  get_server_name(): Promise<{ name: string }> {
     return http.get('/settings/server/name')
   },
+  get_banned_ips(): Promise<BannedIP[]> {
+    return http.get('/settings/auth/banned_ips')
+  },
+  remove_banned_ip(ip: string) {
+    return http.delete('/settings/auth/banned_ip', { data: { ip } })
+  },
 }
 
 export default settings

app/src/language/LINGUAS

@@ -1 +1 @@
-es fr_FR ko_KR ru_RU vi_VN zh_CN zh_TW
+en zh_CN zh_TW fr_FR es ru_RU vi_VN ko_KR